Name! That! User!
To:Brew Readers
IT Brew // Morning Brew // Update
Buzz in now for a free hack!
June 03, 2024

IT Brew


It’s Monday! June has arrived, and beautiful summer weather is finally here. Go fix the printer outside today!

In today’s edition:

The username game

⏯️ Digging for dirt

Let’s play risk

—Tom McKay, Amanda Florian, Eoin Higgins, Patrick Lucas Austin

CYBERSECURITY

That’s not my name. That’s not my name.

Makhbubakhon Ismatova/Getty Images

Most security practitioners know to make passwords unique and complicated—if they haven’t already abandoned them for passkeys and biometrics—but IT pros who spoke with IT Brew have another reminder for employees logging in: Ditch the used username, unless you want to supply prying hackers with persona-identifying clues.

“Is having the same username across your online profiles as big a risk as having the same password? Absolutely not. Is it a risk to your privacy and data protection more generally? Yes, it is,” Damian Archer, VP of consulting and professional services, Americas, at Trustwave, told IT Brew.

Archer laid out two main threats related to usernames.

  • Breaches. Once an attacker knows a username from a given site, the actor, perhaps looking to build a dossier of info on a target, can comb through password-breach databases for the other important half of the credential. “Then, you might find a different password that you can use,” Archer said. Stolen credentials played a leading role in 2023’s data thefts; they were the initial step in 24% of breaches, according to Verizon’s recently released Data Breach Investigations Report, which studied incidents between November 2022 and October 2023.
  • Privacy. A repeated, revealing username deployed on early websites—maybe a MySpace page or a band forum—could potentially be used for extortion, according to Archer. “You can find pieces of information that might be tied to that user that they’ve completely forgotten about,” he told us.

Pure extortion attacks, often defined as threats to leak stolen data (without encrypting it), increased over the past year. According to Verizon’s data breach report, the tactic featured in 9% of the breaches the company recorded.

Read more here.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected].

   

PRESENTED BY VEEAM

Boost your cyber-resilience


In today’s digital-first world, solid cybersecurity isn’t optional…but it can be complicated. You need a holistic cybersecurity program with standards and guidelines that’ll help mitigate risk.

And that’s where Veeam comes in. Check out Building a Cyber-Resilient Data Recovery Strategy, the new whitepaper that digs into the NIST Cybersecurity Framework 2.0 and how orgs can use it to transform their security strategy.

Grab the full guide to learn how to:

  • Empower IT to actively participate in your org’s cybersecurity plan.
  • Harness Veeam’s capabilities in your strategy.

You’ll find insights about the framework and learn how Veeam can help you create a cyber-resilient recovery strategy. And once you’ve studied up, try Veeam’s Data Platform free for 30 days.

CYBERSECURITY

Deciding on apps

barbed wire around a phone Francis Scialabba

Last month Microsoft discovered a “vulnerability pattern in multiple popular Android applications,” according to a post from Microsoft’s Threat Intelligence team. The flaw would allow bad actors to “trick a vulnerable app into overwriting critical files within its private storage space,” Android Authority also reported.

“We identified several vulnerable applications in the Google Play Store that represented over 4 billion installations,” Microsoft shared in its blog post.

Michael Peck, the principal security research lead at Microsoft, told IT Brew in an email that these types of vulnerabilities, known as “directory traversal vulnerabilities,” are “unfortunately widespread,” so much so that CISA published an alert diving into the ways threat actors are using directory traversal to infiltrate systems.

“However, Android sandboxes each app, protecting its data from other apps on the device, and we believe this vulnerability pattern is notable for enabling that protection to be bypassed,” he added.

Read more here.—AF


   

IT OPERATIONS

Hey, what’s the score?

Tom Cruise in Risky Business Risky Business/Warner Bros. via Giphy

Like Joel Goodsen home alone for a weekend, data protection can be risky business.

Padraic O’Reilly, co-founder and chief innovation officer of CyberSaint Security in Massachusetts, believes the best way to manage risk is to run organizational frameworks with an eye toward proactive security protection.

It’s part of what he describes as a changing conversation about using AI to facilitate data supervision, he told IT Brew at the RSA Conference in early May.

“The data is so rich in cyber, and so complex,” O’Reilly said. “The number of inputs and the logical connections among those inputs—you almost need AI to fully solve cyber risk.”

Top level. As CFO Brew has reported, C-suite concerns over risk reporting and regulations have been adding to executive stress—so much so that they’re leaning on insurance companies to write policy and relying on AI to pick up the slack.

Companies like California-based Ninjio provide an aspect of that solution, using risk scores to calculate company vulnerability, president and CEO Shaun McAlmont told IT Brew.

Keep reading here.—EH


   

PATCH NOTES

Picture of data with "Clean Me" written on it + bottle of cleaner in front of it, Patch Notes Francis Scialabba

Today’s top IT reads.

Stat: 600,000+. That’s the number of small office and home office routers that a remote access Trojan disabled and took offline, according to a recent report from telecom company Lumen Technologies. (Reuters)

Quote: “Bringing in VR, it eliminates all that needed space or funding that we would need to build an entire classroom.” Danielle Cox, director of education at the Maryland Department of Public Safety and Correctional Services, on the facility’s 26 job training programs and its growing use of virtual reality tech (CNN)

Read: How to find (and get rid of) spyware on your phone. (ZDNet)

Back from the brink: The only thing more important than your cybersecurity strategy is your data recovery plan. Veeam’s whitepaper explores creating a resilient recovery strategy with the NIST Cybersecurity Framework 2.0. Read on.*

*A message from our sponsor.

Copyright © 2024 Morning Brew. All rights reserved.
22 W 19th St, 4th Floor, New York, NY 10011
